Decaf encoding is working, except by the choice of generator.

cloudflare · Jul 24, 2020 · daa36c1 · daa36c1
1 parent 8933f6c
commit daa36c1
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 38 deletions.
diff --git a/ecc/goldilocks/decaf.go b/ecc/goldilocks/decaf.go
@@ -1,8 +1,6 @@
 package goldilocks
 
 import (
-	"fmt"
-
 	fp "github.com/cloudflare/circl/math/fp448"
 )
 
@@ -23,7 +21,7 @@ func (d Decaf) Identity() *Elt { return &Elt{d.c.Identity()} }
 // Generator is
 func (d Decaf) Generator() *Elt {
 	g := d.c.Generator()
-	g.Double()
+	// g.Double()
 	return &Elt{g}
 }
 
@@ -49,39 +47,28 @@ func (d Decaf) Marshal(a *Elt) []byte {
 	x, y, ta, tb, z := a.p.x, a.p.y, a.p.ta, a.p.tb, a.p.z
 	t0, t1 := z, y
 	fp.SetOne(one)
-	fp.AddSub(&t0, &t1)        // (t0,t1) = (z+y,z-y)
-	fp.Mul(&t0, &t0, &t1)      // t0 = (z+y)*(z-y)
-	fp.Mul(&t0, &t0, &aMinusD) // t0 = (a-d)*(z+y)*(z-y)
-	fp.InvSqrt(r, one, &t0)    // r = 1/sqrt( (a-d)*(z+y)*(z-y) )
-
-	fmt.Println("r0: ", r)
-	fp.Abs(r) // r = Takes the non-negative root.
-	fmt.Println("r0: ", r)
-	fp.Mul(u, r, &aMinusD)  // u = (a-d)*r
-	fp.Mul(&t0, u, &z)      // t0 = u*Z
-	fp.Add(&t0, &t0, &t0)   // t0 = 2*u*Z
-	fp.Neg(&t0, &t0)        // t0 = -2*u*Z
-	isNeg := fp.Parity(&t0) // isNeg = sgn(t0)
-	fp.Neg(&t1, r)          // t1 = -r
-	fmt.Println("r1: ", r)
+	fp.AddSub(&t0, &t1)          // (t0,t1) = (z+y,z-y)
+	fp.Mul(&t0, &t0, &t1)        // t0 = (z+y)*(z-y)
+	fp.Mul(&t0, &t0, &aMinusD)   // t0 = (a-d)*(z+y)*(z-y)
+	fp.InvSqrt(r, one, &t0)      // r = 1/sqrt( (a-d)*(z+y)*(z-y) )
+	fp.Mul(u, r, &aMinusD)       // u = (a-d)*r
+	fp.Mul(&t0, u, &z)           // t0 = u*Z
+	fp.Add(&t0, &t0, &t0)        // t0 = 2*u*Z
+	fp.Neg(&t0, &t0)             // t0 = -2*u*Z
+	isNeg := fp.Parity(&t0)      // isNeg = sgn(t0)
+	fp.Neg(&t1, r)               // t1 = -r
 	fp.Cmov(r, &t1, uint(isNeg)) // if -2*u*Z is negative then r = -r
-	fmt.Println("r1: ", r)
-	fp.Mul(&t1, &ta, &tb)     // t1 = Ta*Tb = T
-	fp.Mul(&t1, &t1, &y)      // t1 = Y*T
-	fp.Mul(&t1, &t1, &paramD) // t1 = d*Y*T
-	fmt.Println(">t1: ", t1)
-	fp.Mul(&t0, &z, &x)   // t0 = a*Z*X
-	fp.Sub(&t0, &t0, &t1) // t0 = a*Z*X - d*Y*T
-	fmt.Println(">t0: ", t0)
-	fp.Mul(&t0, &t0, r) // t0 = r*(a*Z*X - d*Y*T)
-	fmt.Println(">t0: ", t0)
-	fp.Add(&t0, &t0, &y) // t0 = r*(a*Z*X - d*Y*T) + Y
-	fp.Mul(s, &t0, u)    // s = (u/a)*(r*(a*Z*X - d*Y*T) + Y)
-	fmt.Println("s1: ", s)
+	fp.Mul(&t1, &ta, &tb)        // t1 = Ta*Tb = T
+	fp.Mul(&t1, &t1, &y)         // t1 = Y*T
+	fp.Mul(&t1, &t1, &paramD)    // t1 = d*Y*T
+	fp.Mul(&t0, &z, &x)          // t0 = a*Z*X
+	fp.Sub(&t0, &t0, &t1)        // t0 = a*Z*X - d*Y*T
+	fp.Mul(&t0, &t0, r)          // t0 = r*(a*Z*X - d*Y*T)
+	fp.Add(&t0, &t0, &y)         // t0 = r*(a*Z*X - d*Y*T) + Y
+	fp.Mul(s, &t0, u)            // s = (u/a)*(r*(a*Z*X - d*Y*T) + Y)
 	isNeg = fp.Parity(s)         // isNeg = sgn(s)
 	fp.Neg(&t1, s)               // t1 = -s
 	fp.Cmov(s, &t1, uint(isNeg)) // if s is negative then s = -s
-	fmt.Println("s1: ", s)
 
 	var encS [fp.Size]byte
 	_ = fp.ToBytes(encS[:], s)

diff --git a/ecc/goldilocks/decaf_test.go b/ecc/goldilocks/decaf_test.go
@@ -8,15 +8,24 @@ import (
 
 func TestDecafDevel(t *testing.T) {
 
-	var c Curve
-	G := c.Generator()
-	// _2G := c.Double(G)
-	Q := c.push(G)
-	fmt.Printf("G: %v\n", Q)
+	// var c Curve
 	var d Decaf
+	GE := d.Generator()
+	fmt.Printf("GE: %v\n%v\n\n", GE, hex.EncodeToString(d.Marshal(GE)))
+
+	Q := d.Identity()
+	for i := 0; i < 100; i++ {
+		fmt.Printf("%v\n", hex.EncodeToString(d.Marshal(Q)))
+		Q = d.Add(Q, GE)
+	}
+	// fmt.Printf("2GE: %v\n%v\n\n", GE, enc(GE))
+
+	// GT := c.push(GE)
+	// GT.ToAffine()
+	// fmt.Printf("GT: %v\n%v\n", GT, enc(GT))
 
 	// fmt.Printf("0: %v\n", hex.EncodeToString(d.Marshal(d.Identity())))
-	fmt.Printf("G: %v\n", hex.EncodeToString(d.Marshal(d.Generator())))
+	// fmt.Printf("G: %v\n", hex.EncodeToString(d.Marshal(d.Generator())))
 	// P := d.Generator()
 	// fmt.Printf("G:\n%v\n%v\n", P, hex.EncodeToString(d.Marshal(P)))
 	// for i := 1; i < 2; i++ {
@@ -25,3 +34,19 @@ func TestDecafDevel(t *testing.T) {
 	// fmt.Printf("[2^%v]G: %v\n", i, hex.EncodeToString(d.Marshal(P)))
 	// }
 }
+
+func BenchmarkDecaf(b *testing.B) {
+	var d Decaf
+	G := d.Generator()
+	enc := d.Marshal(G)
+	b.Run("Marshal", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			d.Marshal(G)
+		}
+	})
+	b.Run("Unmarshal", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			d.Unmarshal(enc)
+		}
+	})
+}